Available Zones
The following table summarizes the zones that can be queried, the Spamhaus databases they are connected to, and the possible return codes (represented by A records in the answers to DNS lookups, and by numeric response codes in HTTP lookup replies).
The last two return codes are associated with invalid DQS keys and apply to any query made using such keys.
Return Codes
DNSBLs return one or more A records for positive replies.
Each returned A record (associated with a different IP) is used to represent a specific message.
Return codes provided by the HTTP API are 1-to-1 mapped to such A records.
Zone | Type | Database | Return Codes |
---|---|---|---|
sbl | IP | SBL | * 127.0.0.2 (1002) - SBL * 127.0.0.3 (1003) - CSS (automated) * 127.0.0.9 (1009) - DROP (always in addition to SBL) * 127.0.0.8 (1008) - currently unused * 127.0.0.30 (1030) - BCL |
xbl | IP | XBL | * 127.0.0.4 (1004) - XBL * from 127.0.0.5 (1005) to .7 (1007) - currently unused |
sbl-xbl | IP | SBL+ XBL |
* 127.0.0.2 (1002) - SBL * 127.0.0.3 (1003) - CSS * 127.0.0.9 (1009) - DROP * 127.0.0.4 (1004) - XBL (see details above) * 127.0.0.30 (1030) - BCL |
pbl | IP | PBL | * 127.0.0.10 (1010) - entry maintained by ISP * 127.0.0.11 (1011) - entry maintained by Spamhaus |
zen | IP | SBL+ XBL+ PBL |
* 127.0.0.2 (1002) - SBL * 127.0.0.3 (1003) - CSS * 127.0.0.9 (1009) - DROP * 127.0.0.4 (1004) - XBL * 127.0.0.10 (1010) - PBL * 127.0.0.11 (1011) - PBL (see details above) * 127.0.0.30 (1030) - BCL |
authbl | IP | AuthBL | * 127.0.0.20 (1020) - AuthBL |
dbl | Domain | DBL | * 127.0.1.2 (2002) - low-reputation domain * 127.0.1.4 (2004) - phishing-related domain * 127.0.1.5 (2005) - malware-related domain * 127.0.1.6 (2006) - botnet C&C domain * 127.0.1.102 (2102) - abused-legit domain * 127.0.1.103 (2103) - abused redirector * 127.0.1.104 (2104) - abused domain used in phishing * 127.0.1.105 (2105) - abused domain used by malware * 127.0.1.106 (2106) - abused domain hosting C&C * 127.0.1.255 - ERROR: IP queries not allowed (DNS only) |
zrd | Domain | ZRD | * 127.0.2.2 (3002) - domain first seen from 0 to 2 hours ago * 127.0.2.3 (3003) - domain first seen from 2 to 3 hours ago * […] * 127.0.2.24 (3024) - domain first seen from 23 to 24 hours ago * 127.0.2.255 - ERROR: IP queries not allowed (DNS only) |
hbl | SHA256 or SHA1 Hash |
HBL | In _file context: * 127.0.3.10 (4010) - Malware file * 127.0.3.15 (4015) - Suspicious file In _cw context: * 127.0.3.20 (4020) - CryptoWallet address observed in spam In _email context: * 127.0.3.2 (4002) - Email address observed in spam In _url context: * 127.0.3.30 (4030) - URL observed in spam. |
ANY | IP, Domain |
none | * 127.255.255.250 (256250) - ERROR: DQS key disabled * 127.255.255.251 (256251) - ERROR: DQS key illegally used * 127.255.255.252 (no HTTP API) - typing error in DNSBL name |